tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Single sign on issue with Tomcat and Apache
Date Wed, 04 Jun 2008 01:10:52 GMT
sridharmnj wrote:
> My understanding:
>
> When server receives a request for a secured resource first time (depending
> on url-pattern and security constraint settings in web.xml), first it asks
> for credentials using dialog box if it's BASIC authentication or login form
> if it's FORM authentication and performs authentication based on Realm (JDBC
> or JNDI or memory). If the user is authenticated successfully, it sets the
> Principal object in the request (you can see this using
> request.getUserPrincipal()). For subsequent requests, it checks every time
> for the Principal object and flow continues.
>   
Pure basics.  I'll only say that with BASIC authentication, user 
credentials are transmitted to the server on _every_ request -- even for 
images, javascript and css.

> When SingleSignOn valve (server.xml) is enabled, Tomcat allows the user to
> navigate to other app (which is deployed in the same server) without
> prompting for authentication details again. Actually it shares the Principal
> object in the request.
>   
Right, but http is a stateless protocol and the client still has to 
provide something to let the server know it's been there before.  In the 
absence of url rewriting, it's usually a cookie.  Cookies can't cross 
domains.

> In my case as I am already authenticated in aaa.com, I am able to access
> bbb.com's dynamic data (which is deployed in tomcat) without providing the
> authentication details second time. But not able to access the bbb.com's
> static data which is deployed in apache.
>   
I'm getting that nagging feeling in the back of my head there's a 
combination of Apache Httpd and Apache Tomcat here.  If that's the case 
could you clarify what service is providing what resources?

> In normal flow, (without SSO), if I authenticate bbb.com's apache pages
> (using httpd and .htaccess), I could navigate to Tomcat's pages without
> providing the authentication details. Means, here apache is caching
> credentials using SOME mechanism (not only cookies. But something else.. I
> am not sure..this) and tomcat is using those credentials and not asking for
> authentication. 
>
>   
Since Apache *Httpd* is using BASIC, and every request includes 
credentials, this is normal.  Apache *Tomcat* would receive the same 
credentials in the BASIC auth header.

> I need the reverse functionality. Means, when I provide credentials in
> aaa.com (Tomcat Form based authentication) I should be able to navigate to
> bbb.com's apache pages. (anyhow I am able to access bbb.com's tomcat pages).
>
> I am sorry for lengthy message. But I tried to explain complete scenario.
>
>
> David Smith-2 wrote:
>   
>> I'll first admit that I've never used single sign-on, so most of this is 
>> educated conjecture on my part.  Hopefully it'll spark some discussion 
>> in the right direction.
>>
>> You're right -- jvm version is not going to make a difference with the 
>> issue you are seeing.  Plus upgrading the jvm may break the nine year 
>> old app -- an excellent case to be made to your client/boss for 
>> rewriting/upgrading the old app.
>>
>> The real problem is how the single sign-on id is getting from aaa.com to 
>> bbb.com.  Cookies won't work as the browser won't return a cookie for 
>> aaa.com to bbb.com.  That's a security problem if it does.  That leaves 
>> URL rewriting.  Are you doing anything to make sure the URLs for bbb.com 
>> have the single sign-on id in the url?  Seems like that's the only way 
>> for bbb.com to know it's getting a request from a previously 
>> authenticated user.
>>
>> --David
>>
>> sridharmnj wrote:
>>     
>>> I hope you did not observe the following lines from my post.
>>>   
>>>       
>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>> not allowed to modify/reengineer the architecture. 
>>>>     
>>>>         
>>> It is successfully running on those versions in production and client does
>>> not want to upgrade versions for time being. I don't think that the java
>>> version is creating any problem. Do you think so???
>>>
>>> My problem is not related to Java version upgrades and it's out of scope
>>> for discussion here. I am sure Java version update alone does not solve the
>>> issue.
>>>
>>>
>>> Propes, Barry L wrote:
>>>   
>>>       
>>>> and you're stuck on Java 1.3.1 and cannot go forward?
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>> Sent: Tuesday, June 03, 2008 4:17 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: Single sign on issue with Tomcat and Apache
>>>>
>>>>
>>>>
>>>> Apache 2.0.50
>>>> Tomcat 5.0.27
>>>> Java 1.3.1
>>>>
>>>>
>>>> Propes, Barry L wrote:
>>>>     
>>>>         
>>>>> what versions are you using? Of each?
>>>>>
>>>>> -----Original Message-----
>>>>> From: sridharmnj [mailto:sridharmnj@yahoo.co.in]
>>>>> Sent: Tuesday, June 03, 2008 3:52 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Single sign on issue with Tomcat and Apache
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>> I am integrating two websites using single sign on. I have two sites
>>>>> namely aaa.com and bbb.com.
>>>>>
>>>>> When a user navigates from aaa.com, as he is already authenticated in it,
>>>>> he should be allowed to bbb.com without asking the credentials again. This
>>>>> is my requirement.
>>>>>
>>>>> aaa.com is based on Tomcat Form based authentication and working fine.
>>>>>
>>>>> bbb.com's static data is deployed on apache and it requires apache BASIC
>>>>> authentication (httpd, and .htaccess). And dynamic data is deployed on
>>>>> Tomcat and based on Tomcat BASIC authentication.
>>>>>
>>>>> If I access static data of bbb.com, it first asks for credentials (Using a
>>>>> popup), authenticates using mod_auth_mysql, and once the user is
>>>>> authenticated, it is storing credentials in browser cache. When I navigate
>>>>> to dynamic content which is in tomcat, still it's working without asking
>>>>> credentials twice. (I ensured that <realm-name> in web.xml and AuthName
>>>>> in .htaccess file are same).
>>>>>
>>>>> I enabled SingleSignOn valve in server.xml file, and trying to access
>>>>> bbb.com from aaa.com. When I try to access dynamic data of bbb.com from
>>>>> aaa.com, as both are based on Tomcat security, they are sharing the browser
>>>>> cached credentials. (Though one is based on form and another is based on
>>>>> basic authentication model). But, when I try to access bbb.com's static
>>>>> data (which is in apache) from aaa.com, again it's asking credentials, using
>>>>> a popup.
>>>>>
>>>>> bbb.com is an old project which was developed around 9 yrs ago and I am
>>>>> not allowed to modify/reengineer the architecture.
>>>>>
>>>>> Could anyone please guide me in right direction. I appreciate your help.
>>>>>
>>>>> Thanks,
>>>>> Sridhar 
>>>>> -- 
>>>>> View this message in context:
>>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633391.html
>>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>> -- 
>>>> View this message in context:
>>>> http://www.nabble.com/Single-sign-on-issue-with-Tomcat-and-Apache-tp17633391p17633917.html
>>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>
>   
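The two points David makes above (BASIC credentials ride along on every request, and a cookie set for aaa.com is never sent to bbb.com) as an added example; this is not code from the thread or from Tomcat. The realm name "Members", the user, password and SSO cookie value are constructed placeholders; JSESSIONIDSSO is the cookie name Tomcat's SSO valve actually uses.

```python
import base64
from dataclasses import dataclass, field


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match: host equals the cookie domain or is a
    subdomain of it. 'bbb.com' never matches a cookie set for 'aaa.com'."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


@dataclass
class Browser:
    """Minimal client state: cookies keyed by (domain, name); cached BASIC
    credentials keyed by (host, realm), a simplified protection space."""
    cookies: dict = field(default_factory=dict)
    basic_creds: dict = field(default_factory=dict)

    def set_cookie(self, domain: str, name: str, value: str) -> None:
        self.cookies[(domain, name)] = value

    def remember_basic(self, host: str, realm: str, user: str, pw: str) -> None:
        self.basic_creds[(host, realm)] = (user, pw)

    def request_headers(self, host: str, realm: str = "") -> dict:
        """Headers attached to a request for `host`; `realm` is the server's
        BASIC realm for that path ("" for paths outside any realm)."""
        headers = {}
        pairs = [f"{n}={v}" for (d, n), v in self.cookies.items()
                 if domain_matches(host, d)]
        if pairs:
            headers["Cookie"] = "; ".join(pairs)
        creds = self.basic_creds.get((host, realm))
        if creds:  # BASIC: credentials are re-sent on *every* matching request
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            headers["Authorization"] = "Basic " + token
        return headers


def scenario() -> dict:
    """Constructed walk-through of the thread's setup: FORM login + SSO valve
    on aaa.com, httpd and Tomcat BASIC on bbb.com sharing the realm 'Members'."""
    b = Browser()
    # JSESSIONIDSSO is Tomcat's SSO cookie name; the value is a placeholder.
    b.set_cookie("aaa.com", "JSESSIONIDSSO", "CONSTRUCTED-SSO-ID")
    b.remember_basic("bbb.com", "Members", "sridhar", "constructed-pw")
    return {
        "aaa.com/app/page.jsp": b.request_headers("aaa.com"),
        "bbb.com/static/logo.png": b.request_headers("bbb.com", "Members"),
        "bbb.com/servlet/report": b.request_headers("bbb.com", "Members"),
    }
```

Inspecting the returned dict shows the SSO cookie only on the aaa.com request, and the same Authorization header on both bbb.com requests, static image included.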

